Skip to main content

WhatsApp began rolling out username reservations this week, ahead of a broader public launch planned for later in 2026, and the feature is already drawing scrutiny from security experts and regulators in India, the app’s single largest market with more than 500 million users. In early testing, handles like “indiamodi,” “rbi_verify,” and “shahrukh.actor” were all unclaimed and available to anyone who got there first. The name of a sitting prime minister, a central bank, and one of the country’s most recognized film stars were all up for grabs.

The username feature replaces phone numbers as the primary contact identifier on WhatsApp. Instead of sharing a mobile number, users create a unique handle that others use to contact them. Meta’s stated rationale is privacy: people should be able to chat with new contacts or join groups without exposing their phone numbers. Phone numbers carry a lot of personal information, and many users would prefer not to hand theirs to strangers in group chats or business exchanges. The same quality that makes usernames attractive for privacy makes them attractive for fraud: you can present yourself as whoever you claim to be.

How the Feature Actually Works

Usernames can be anywhere from three to 35 characters long and may include Latin letters, numbers, periods, and underscores. WhatsApp enabled the reservation phase ahead of the full launch to give users time to choose their preferred handles while the company gathered feedback and refined the system before its wider rollout later this year.

Usernames are optional, not mandatory, and users can continue using WhatsApp without creating one. Usernames will not be searchable, similar to how users cannot currently search for phone numbers on the platform. Initiating a conversation requires knowing someone’s exact username. That limits random targeting: a bad actor cannot browse a directory of handles looking for victims. It does not solve the impersonation problem, because the real threat is targeted rather than random. Scammers do not need a directory when they can pick a name that looks official and wait for a victim to arrive.

WhatsApp has also announced a “username key” feature as an optional additional layer of privacy protection for users who want it.

Meta told a CNBC report that it plans to limit the number of new people an account can contact, block repeated attempts to guess usernames, and enable systems to detect and remove activity that demonstrates common patterns associated with impersonation or abuse.

The WhatsApp Username Impersonation Problem Is Not Theoretical

A man holding a sign reading 'FRAUD' in a tech environment, highlighting cybersecurity concerns.
Scammers actively exploit the username feature to impersonate legitimate accounts and defraud users. Image Credit: Pexels

The handles found unclaimed during early testing illustrate the gap between policy and execution. “indiamodi,” “shahrukh.actor,” “teamamitabh,” “ambanijio,” and “rbi_verify” were all still available to reserve during testing, despite Meta’s stated policy of proactively holding high-profile names.

A WhatsApp spokesperson said the company has “held the highest-profile names – think public figures, government entities, celebrities, verified Meta accounts – so they can only ever be claimed by their legitimate owners and lookalike derivatives of known names are held as well.” The word “some” appears repeatedly in Meta’s statements. Some public figures. Some variations. Which ones, and decided by whom, remains unexplained.

Paytm founder Vijay Shekhar Sharma identified the practical problem clearly: verified usernames coexisting alongside nearly identical unverified handles could confuse users and make impersonation easier. A message from “@rbi_helpdesk” during what appears to be a banking query feels more credible than a cold call from an unknown number, even if it is equally fraudulent. The username creates the appearance of official communication where none exists.

India’s Government Moves to Halt the Rollout

Concrete BR Ambedkar Administrative Building nestled in green garden, Chandigarh.
Indian authorities have moved to suspend the username rollout due to security concerns. Image Credit: Pexels

India ordered Meta to immediately pause the rollout of WhatsApp’s username feature and sought a detailed reply within three days. Moneycontrol established that this is the first known instance of the Indian government asking a technology company to hold a major consumer feature before its public rollout, citing cybersecurity and fraud concerns.

India’s IT ministry directed WhatsApp not to roll out the usernames feature in India, issuing a formal notice over concerns that the feature could increase cybercrime. The ministry questioned why regulatory action should not follow under India’s IT laws and specifically warned that the feature could materially increase fraud, phishing, digital arrest scams, and impersonation attacks. It also flagged that usernames resembling those of individuals, public authorities, financial institutions, and government agencies could facilitate identity spoofing.

MeitY invoked Section 79 of the Information Technology Act 2000, along with IT Rules from 2021, and Sections 66C and 66D dealing with identity theft and cheating by impersonation using a computer resource. Section 66D specifically targets cheating by personation using communication devices, which maps directly onto the scenario regulators are worried about: someone contacting a victim under a fake official-sounding handle and extracting money or personal information.

Authorities argued that hiding phone numbers during a first interaction removes one of the easiest ways users currently verify who is contacting them. Although every WhatsApp account remains linked to a verified mobile number internally, the government wants to understand how quickly fake accounts can be traced, how impersonation complaints will be handled, and whether WhatsApp’s anti-abuse systems are strong enough to stop misuse.

The Digital Arrest Scam Context

Senior woman with gray hair talks on mobile phone against a blue background.
Digital arrest scams leverage username impersonation to convince victims they face legal consequences. Image Credit: Pexels

The “digital arrest” scam is a form of organized cybercrime in which perpetrators impersonate law enforcement, government agencies, banks, or courier companies and coerce victims into transferring money by falsely claiming the victim is under investigation or has been “digitally arrested.” The crime is particularly prevalent in India, which explains why regulators moved quickly.

In 2025, Indians lost an estimated ₹22,495 crore (roughly US$2.7 billion) to cyber fraud, according to data from India’s Ministry of Home Affairs and the Indian Cyber Crime Coordination Centre. The money figure was roughly flat against 2024, but complaint volume jumped 24% to about 2.81 million cases.

More than 17,000 digital arrest complaints were filed in 2025, with losses totalling ₹644 crore, according to MHA data compiled by the Indian Cyber Crime Coordination Centre. Victims include a retired Delhi doctor couple who lost roughly ₹15 crore, and a 92-year-old in Delhi drained of ₹2 crore.

Indian authorities reported that nearly 9,400 suspicious WhatsApp accounts were blocked across India since January 2026 alone, accounts allegedly involved in cyber fraud including impersonation-based scams targeting citizens. These scams already work, at scale, using existing WhatsApp infrastructure. A username that looks like it belongs to a government body or a bank adds another layer of false credibility to an already effective operation.

Civil Liberties Groups Push Back Against the Government

The Internet Freedom Foundation challenged the legal basis of the MeitY notice, arguing that it seeks to create a product approval regime without statutory authority. According to the digital rights organization, the notice “has no clear basis in law” and represents “an attempt by the executive to decide what a company may build and ship, which no statute permits.”

The IFF argued that Section 79 is a safe harbour provision governing platform liability, not a licensing power over what features a company may ship, and that Sections 66C and 66D target individuals who commit identity theft, not platforms whose tools are misused by others.

The group also pointed to a similar MeitY directive issued to AI companies in March 2024, requiring prior permission before deploying under-tested models. That directive was withdrawn within a fortnight after similar criticism, which suggests this kind of pre-emptive regulatory letter does not always hold.

The IFF’s position is not that the impersonation risk is fake. “Impersonation and fraud are real risks,” the group said, “but they are met by enforcing the criminal law against those who commit them” – not by the ministry deciding by private letter what features Indians may use.

Meta’s Cross-App Identity and the Longer Question

Top view of a desk with social media hashtag, keyboard, and analytics chart in modern design.
Meta plans to integrate usernames across WhatsApp, Instagram, and Facebook for unified identity. Image Credit: Pexels

Letting users claim their existing Facebook and Instagram usernames on WhatsApp may reduce impersonation, but it also demonstrates how easily Meta can consolidate identity across its own apps, even as users still cannot take that identity, or their contacts, to a rival platform.

For individual users who want to protect their phone number, claiming a consistent handle across WhatsApp, Instagram, and Facebook looks like a convenience. For Meta, it is an identity consolidation event across three of the world’s most used platforms, with over three billion WhatsApp users alone. The privacy gain for users and the data integration gain for Meta are not in conflict, which is part of why the feature is being rolled out.

What Meta Has Promised, and What It Hasn’t

Meta’s stated protections are real, as far as they go. Usernames are not searchable. There is a rate limit on how many new people an account can contact. The “username key” adds an opt-in friction layer. High-profile names are reserved for their legitimate owners.

Meta has not explained how it decides which lookalike usernames get proactively held and which do not. “rbi_verify” being available during testing alongside the company’s promise to hold lookalikes suggests that the proactive reservation system is either not comprehensive or not yet operational. Those are meaningfully different problems, and the company has not clarified which applies.

WhatsApp announced the start of username reservations on June 29, 2026. The feature had been under development since 2023 and is planned to be available to users later this year. The period between reservation phase and full launch is where the real risk sits. If impersonation accounts can be reserved now and deployed the moment messaging via usernames goes live, the window for misuse is already open.

The Accountability Layer Phone Numbers Provided

Close-up of a smartphone displaying a fraud alert notification on a wooden surface.
Phone number verification previously provided a critical layer of account authentication and user protection. Image Credit: Pexels

A phone number was not just an identifier. It was a soft accountability layer. When someone called or messaged from an unrecognized number, the number itself was a clue. Country codes placed people geographically. Repeated contact from the same number was traceable. Even scammers had to burn through SIM cards to stay ahead of blocks, and in 2025 alone, Indian authorities deactivated 1.2 million SIM cards and froze 1.33 million mule accounts as part of their enforcement response. That friction is not a perfect defense, but it is a real one.

Usernames carry none of that. They are pseudonymous by design. The accountability chain from “@rbi_verify” back to a real person or a real phone number runs through Meta’s internal systems, which means it exists only to the extent that Meta cooperates with law enforcement inquiries. For countries like India, where authorities have repeatedly clashed with Meta over data access and traceability, that is a significant condition.

The government oversight of WhatsApp’s username feature comes just weeks after India temporarily banned Telegram to prevent exam fraud during a national test. Telegram’s username-based architecture was cited explicitly as part of what made enforcement difficult there, and India’s regulators have shown they are willing to act at the platform level when they consider the threat sufficient.

Read More: Trump Says He’d Be “The Greatest Communist in History” — Here’s What Those Words Really Mean

The Honest Trade-Off

A laptop displays a detailed cryptocurrency trading chart with candlestick patterns.
Enhanced privacy through usernames comes at the cost of reduced accountability and fraud prevention. Image Credit: Pexels

Privacy improvements on messaging platforms are worth having. The case for letting people contact each other without sharing phone numbers is real, especially for users who manage large groups, run small businesses, or simply do not want their number in the hands of strangers. That case does not disappear because a fraud risk exists alongside it.

The fraud risk in India is not hypothetical background noise. Digital arrest scams have taken money from retired military officers and 92-year-olds who believed they were under government investigation. Those scams already exploit impersonation of official-sounding identities. A system that makes it easier to claim “@cbi_officer” or “@rbi_verify” before those handles are locked down is not adding a new category of risk; it is handing existing criminals a more convincing tool.

WhatsApp’s safeguards, taken together, are not nothing. But the early testing results and the absence of a clear explanation from Meta about which lookalike names are protected suggest the system is not fully operational. The username reservation period has already started. Whether a celebrity’s actual representative or someone who noticed the handle was available got there first will not become visible until messaging goes live. By then, some of those handles will already be in someone else’s hands.

This article was produced with the assistance of AI editorial tools and reviewed by a human editor. The Amazing Times is committed to accuracy and editorial integrity. If you spot an error, please contact us.